
Translating PAT From Public IP to Inside Address

Tshi M
Level 5

Is it possible with the Cisco ASA to translate an outside address to an internal address during PAT? So what I want to do is dynamic outside address translation after the PAT. So if a user on the outside connects to us through a PAT rule, his outside address is translated to an inside address.

6 Replies

Julio Carvajal
VIP Alumni

Hello,

So 192.168.12.0/24 inside ---- ASA ---- outside 2.2.2.0/24

You want outside users coming into your network to get PATed to 192.168.12.x, right?

If that is what you are looking for, yes that is possible on the ASA!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, exactly. I have some PAT commands configured. How do I go about doing that?

static (inside,outside) tcp VIP 3078 172.16.1.68 ssh netmask 255.255.255.255

static (inside,outside) tcp VIP 7500 172.16.1.4 1433 netmask 255.255.255.255

I want it so that when a user establishes a connection to the VIP on either port, the public IP address gets translated to 172.16.1.x

Hello Tshi,

You will need:

access-list test permit tcp outside_user_ip host VIP eq 7500

access-list test permit tcp outside_user_ip host VIP eq 3078

nat (outside) 10 access-list test outside

global (inside) 10 172.16.1.x

Regards,

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
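
Once outside clients are PATed to a 172.16.1.x address as in the answer above, the SSH and SQL servers behind the VIP log that inside address instead of the client's public IP, so attributing a session depends on the ASA's connection-build syslog messages. The Python below is an added example, not part of the original thread: it indexes constructed %ASA-6-302013 lines and resolves the peer a server logged back to the real outside client. It assumes connection logging at the informational level is enabled; 203.0.113.10 (VIP), 172.16.1.250 (global address) and the client addresses are placeholders.

```python
import re

# Constructed ASA syslog lines (message 302013); every address is a placeholder.
# 203.0.113.10 stands in for the VIP, 172.16.1.250 for the 172.16.1.x global address.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4101 for outside:198.51.100.25/51515 (172.16.1.250/1025) to inside:172.16.1.68/22 (203.0.113.10/3078)
%ASA-6-302013: Built inbound TCP connection 4102 for outside:192.0.2.77/40022 (172.16.1.250/1026) to inside:172.16.1.4/1433 (203.0.113.10/7500)
%ASA-6-302013: Built outbound TCP connection 4103 for outside:203.0.113.99/443 (203.0.113.99/443) to inside:172.16.1.30/50123 (203.0.113.10/50123)
"""

# Each endpoint is logged as interface:real-ip/real-port (mapped-ip/mapped-port).
BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\S+?):(?P<src_real>[\d.]+)/(?P<src_rport>\d+) "
    r"\((?P<src_map>[\d.]+)/(?P<src_mport>\d+)\) to "
    r"(?P<dst_if>\S+?):(?P<dst_real>[\d.]+)/(?P<dst_rport>\d+) "
    r"\((?P<dst_map>[\d.]+)/(?P<dst_mport>\d+)\)"
)

def build_index(log_text):
    """Map (translated source IP, port, server IP, port) -> (real client IP, port)."""
    index = {}
    for m in BUILT.finditer(log_text):
        # Keep only inbound connections whose source address was translated.
        if m["dir"] != "inbound" or m["src_real"] == m["src_map"]:
            continue
        key = (m["src_map"], int(m["src_mport"]), m["dst_real"], int(m["dst_rport"]))
        index[key] = (m["src_real"], int(m["src_rport"]))
    return index

def real_client(index, seen_ip, seen_port, server_ip, server_port):
    """Resolve the peer address a server logged back to the real outside client."""
    return index.get((seen_ip, seen_port, server_ip, server_port))

if __name__ == "__main__":
    idx = build_index(SAMPLE_LOG)
    # The SSH server at 172.16.1.68 logged a session from 172.16.1.250 port 1025.
    print(real_client(idx, "172.16.1.250", 1025, "172.16.1.68", 22))
```

The translated source port is part of the lookup key because every outside client shares the same 172.16.1.x address after PAT.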

Julio,

Thanks indeed. I will try this shortly. Does it matter if I already have an access-list applied to the outside interface, or can I just use it with nat 10?

access-list FROM_INTERNET extended permit tcp any host VIP eq 3078

access-list FROM_INTERNET extended permit tcp any host VIP eq 7500

access-group FROM_INTERNET in interface outside

Hello Tshi,

That new ACL that I provided you is not applied to the outside interface, so do not worry about that.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thanks indeed...this was extremely helpful.
